Credit agencies sending our files abroad

David Lazarus

Published
4:00 am PST, Friday, November 7, 2003

Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time.

Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas.

For their part, the credit agencies say the trend is a necessary cost- cutting move in light of new legislation that would allow all consumers to obtain free copies of their credit reports.

The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer.

"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year."

Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.

The act would require credit agencies to provide copies of personal credit files to anyone who asks -- an expense that TransUnion, for one, estimates could cost the company as much as $350 million a year.

A credit file serves as a snapshot of one's legal identity and financial status. It contains a person's name, address, date of birth, Social Security number and details of relationships with all credit-card issuers and other lenders.

Emery also said the decision to "offshore" a key customer service was necessitated by "the competition placed on us by Equifax and Experian."

Equifax, he said, was the first major credit agency to move operations abroad, establishing a facility in the Caribbean. Experian, meanwhile, is "actively testing" work with an overseas affiliate, Emery said.

"We had to get into this process for defensive reasons," he said.

An Equifax spokesman's first response when asked about the Atlanta company's outsourcing was to insist that all customer service was handled at North American facilities. Confronted with TransUnion's remarks, though, a senior Equifax official later offered a different answer.

"We have a vendor in Jamaica," said Rob Hogan, senior vice president of customer services. "The Jamaican workers handle data entry at the very beginning of the reinvestigation process (for disputed credit reports)."

He said the overseas workers had "limited access" to consumers' credit files but were "closely supervised by our Atlanta office."

Hogan acknowledged that Equifax had had "problems from time to time" with consumers' privacy being compromised. But he said each problem had led to improvements in security. He also said there had been no known security breaches in the four years that Equifax has outsourced to Jamaica.

An Experian spokesman, Addrian Brooks, denied Trans Union's assertion that the Costa Mesa company is now "actively testing" an overseas operation. "We are confident that Trans Union doesn't know what our plans are because we don't know what their plans are," he said.

However, Brooks repeatedly emphasized that Experian could outsource work abroad at any time.

"We definitely are evaluating every option on the table, and offshoring is one of them," he said. "I don't want to be quoted as saying we'll never do it."

"Are we saying that Hindus are more criminal?" asked Stuart Pratt, president of the Consumer Data Industry Association, a trade group for credit- reporting agencies. "Are we saying that workers in India are less safe? That strikes me as xenophobic, and I don't want to go there."

But privacy advocates say that this isn't a question of people's being more or less trustworthy in one place or another. It's a question of enforcement of strict U.S. laws.

In fact, the Indian government, largely at the urging of privacy- conscious European officials, is working on new legislation aimed at better controlling the country's rapidly growing data-processing industry.

But privacy advocates note that India passed a similar cyber-crime law several years ago making it illegal to steal information from computers. Since then, only 11 people have been charged with violating the law and, of that number, only two cases are being prosecuted.

"If you're an international crime ring, and you want Social Security numbers for identity theft, you're going to look at the weakest link," said Givens at the Privacy Rights Clearinghouse. "And that's quite possibly these overseas companies."

The credit-rating agencies say that privacy and security are their most important considerations and that they hold overseas affiliates to the same high standards that they hold their domestic offices.

However, California's two Democratic senators expressed alarm that the agencies are outsourcing work.

"The application of American law in a foreign country is difficult, if not impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move overseas, the less American law can control the uses for which personal data is put. And this can only represent an increasing threat to the privacy of our citizens."

Sen. Barbara Boxer said she would ensure that the matter was raised as senators and House members completed changes to the Fair Credit Reporting Act.

"This information is very significant, and I intend to make sure that the conferees who are finalizing the bill are aware of The Chronicle's investigation in hopes that they will protect Americans from such outrageous invasions of privacy," Boxer said.